Sophos issues
Julian Field
mailscanner at ecs.soton.ac.uk
Tue Jan 28 18:49:36 GMT 2003
But I still haven't been sent any examples of a file in its
corrupt+noncorrupt state.
The curious thing is that the MIME parsing & regenerating code hasn't
changed since I first wrote V4, and that code is functionally the same as
that in V3.
So why has this only just become a problem? My MIME code hasn't changed.
At 16:45 28/01/2003, you wrote:
>My initial testing with the new release is that it acts the same as the
>old release... But part of the problem is that the only files I currently
>have for testing are files that look like they are already corrupted. So,
>I don't know if the new version really fixes it or not. It is definitely
>the case that corrupted PDF and XLS files come out on the other end as
>being flagged {Virus?} and (corrupt), which is still not desired.
>
>Scott
>
>--On Tuesday, January 28, 2003 8:05 AM -0500 Scott Adkins
><adkinss at OHIO.EDU> wrote:
>
>>Ah, okay... I will give that a try... I will let you know what happens...
>>
>>Scott
>>
>>--On Tuesday, January 28, 2003 9:52 AM +0000 Julian Field
>><mailscanner at ECS.SOTON.AC.UK> wrote:
>>
>>>Can I suggest you upgrade to the latest 3.66 release of Sophos.
>>>I have been sent a few files which 3.62 and other releases complains are
>>>corrupt.
>>>3.66 happily scans them.
>>>
>>>At 17:59 27/01/2003, you wrote:
>>>>--On Monday, January 27, 2003 4:34 PM +0000 Julian Field
>>>><mailscanner at ECS.SOTON.AC.UK> wrote:
>>>>
>>>>>> The files are already
>>>>>>"corrupt" by the time that Sophos sees it (basically, it can't see
>>>>>>both the start of the file and the end of the file, is what I was
>>>>>>told). I asked about the RAR archives, and she said that Sophos
>>>>>>currently can't scan RAR version 3 archives, but that will be
>>>>>>available in the next release. She suggested that I quarantine
>>>>>>messages and release the files that get labeled corrupted, or in the
>>>>>>case of the RAR files, maybe put the file extension on a whitelist,
>>>>>>basically.
>>>>>
>>>>>When it finds a file is corrupt, MailScanner removes it, right?
>>>>
>>>>Actually no... It looks like the attachments come through okay, though,
>>>>the files are indeed corrupted. I am still trying to get the original
>>>>files from the authors to see if they started that way or not... So, I
>>>>can't know for sure what happens, but the attachment doesn't appear to
>>>>be removed, just a warning message inserted into the body of the message
>>>>indicating that the file is corrupted.
>>>>
>>>>>Is it happening often enough that you could archive all mail for a
>>>>>little while until it happens? If so, we can actually get a test case
>>>>>together to prove exactly what is happening to the message. Until I can
>>>>>get my hands on a test case, it is very difficult to work out what is
>>>>>happening.
>>>>
>>>>I don't think so... We get several hundred emails going through our
>>>>system a minute... We have enough problems trying to stay afloat with
>>>>CPU load and (especially) disk I/O. When we turned on quarantining for
>>>>about a 10 hour time period, we had about 1.5GB of disk space
>>>>consumed... so, it makes me a bit afraid to do anything on our
>>>>production server like that :-)
>>>>
>>>>>Are they suggesting that the file put into the quarantine is actually
>>>>>okay, but the file being scanned is not? That would be a neat trick...
>>>>
>>>>That is a good point... My concern was with regards of a message coming
>>>>in that was fine and somehow MailScanner or Sophos was corrupting the
>>>>message and that was what got put into the attachment... but that seems
>>>>a bit less likely at this point, and I feel like the file is starting
>>>>out corrupt. If I had to guess right now, Sophos is expecting
>>>>documents to be exactly compliant with those document standard formats
>>>>(i.e. DOC files must follow Microsoft Word Document format, PDF files
>>>>follow Adobe PDF file formats etc). There doesn't appear to be much
>>>>room in the way of flexibility. I have seen other programs, like Star
>>>>Office, write their documents that are mostly compliant, but not quite,
>>>>and maybe those would be flagged by Sophos as being corrupted.
>>>>Anyways, those are guesses.
>>>>
>>>>>>What would be really helpful, at this point, is a way for me to set an
>>>>>>option to allow corrupted files to pass through MailScanner without
>>>>>>being flagged as viruses and without being touched. The same goes for
>>>>>>scanning of external MIME attachments (which is another thread).
>>>>>>There should be an option to not flag those as viruses and to allow
>>>>>>the messages to pass through untouched. Both of these issues are
>>>>>>generated support calls for us right now.
>>>>>
>>>>>The "external bodies" switch will be in the next version. I'll have to
>>>>>take a look at how easy it would be to add a switch for the other bit.
>>>>
>>>>Great! I will let the users know about this (the external bodies
>>>>thing).
>>>>
>>>>>How come this is only happening with Sophos? No-one else is reporting
>>>>>any problems, only the people using Sophos.
>>>>
>>>>That is a good point... If I knew our system could support another virus
>>>>scanner, such as ClamV or something like that, I would put it on.... as
>>>>is, we are now running without spam checking just so we can get some
>>>>benefit of MailScanner doing virus checking on messages... when we start
>>>>to fall behind in the mail queues, even that gets turned off.
>>>>
>>>>On average, we get several hundred messages a minute. When we get
>>>>spammed (usually by our own university departments), we get way more
>>>>than that :)
>>>>
>>>>Scott
>>>>--
>>>>+-----------------------------------------------------------------------+
>>>> Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
>>>> UNIX Systems Engineer mailto:adkinss at ohio.edu
>>>> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
>>>>+-----------------------------------------------------------------------+
>>>> PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
>>>
>>
>>
>
>
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
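One way to build the "corrupt+noncorrupt" test case asked for above, as an added example that is not MailScanner's or Sophos's code: it round-trips constructed PDF attachments through a MIME message and reports, per attachment, whether the bytes changed in transit and whether the PDF still has both its header and its trailer (the "can't see the start and the end of the file" symptom). The addresses, filenames and sample PDFs are all constructed.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed sample files: one PDF with header and trailer present, one with
# the trailer cut off (a hypothetical truncation matching the thread's symptom).
GOOD_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
BAD_PDF = GOOD_PDF[: GOOD_PDF.rfind(b"%%EOF")]


def pdf_looks_intact(data: bytes) -> bool:
    """Crude structural check: '%PDF-' at the start and '%%EOF' near the end."""
    return data.startswith(b"%PDF-") and b"%%EOF" in data[-1024:]


def build_message(attachments: dict) -> bytes:
    """Serialise a multipart message carrying {filename: bytes} as
    application/pdf attachments: the 'before' side of the test case."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"      # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed test case"
    msg.set_content("Body text.")
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application", subtype="pdf",
                           filename=name)
    return msg.as_bytes()


def check_attachments(raw: bytes, originals: dict) -> dict:
    """Parse the message as it came out the other end ('after' side) and, for
    each attachment, report whether its bytes still match the original and
    whether the PDF structure is intact. 'unchanged' but not 'intact' means
    the file was already corrupt before it entered the mail path."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name, data = part.get_filename(), part.get_content()
        orig = originals.get(name)
        report[name] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "unchanged": orig is not None and orig == data,
            "intact": pdf_looks_intact(data),
        }
    return report
```

Feed `check_attachments` the raw message as captured after MailScanner instead of the output of `build_message` to tell a file that arrived corrupt from one that was damaged in transit.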