Sophos issues

Julian Field mailscanner at ecs.soton.ac.uk
Tue Jan 28 19:03:37 GMT 2003


One more thing, is this just being experienced by Sophos users?
How about all you F-Prot users out there?

At 18:49 28/01/2003, you wrote:
>But I still haven't been sent any examples of a file in its
>corrupt+noncorrupt state.
>The curious thing is that the MIME parsing & regenerating code hasn't
>changed since I first wrote V4, and that code is functionally the same as
>that in V3.
>
>So why has this only just become a problem? My MIME code hasn't changed.
>
>At 16:45 28/01/2003, you wrote:
>>My initial testing with the new release is that it acts the same as the
>>old release... But part of the problem is that the only files I currently
>>have for testing are files that look like they are already corrupted.  So,
>>I don't know if the new version really fixes it or not.  It is definitely
>>the case that corrupted PDF and XLS files come out on the other end as
>>being flagged {Virus?} and (corrupt), which is still not desired.
>>
>>Scott
>>
>>--On Tuesday, January 28, 2003 8:05 AM -0500 Scott Adkins
>><adkinss at OHIO.EDU> wrote:
>>
>>>Ah, okay... I will give that a try... I will let you know what happens...
>>>
>>>Scott
>>>
>>>--On Tuesday, January 28, 2003 9:52 AM +0000 Julian Field
>>><mailscanner at ECS.SOTON.AC.UK> wrote:
>>>
>>>>Can I suggest you upgrade to the latest 3.66 release of Sophos.
>>>>I have been sent a few files which 3.62 and other releases complain are
>>>>corrupt.
>>>>3.66 happily scans them.
>>>>
>>>>At 17:59 27/01/2003, you wrote:
>>>>>--On Monday, January 27, 2003 4:34 PM +0000 Julian Field
>>>>><mailscanner at ECS.SOTON.AC.UK> wrote:
>>>>>
>>>>>>>   The files are already
>>>>>>>"corrupt" by the time that Sophos sees it (basically, it can't see
>>>>>>>both the start of the file and the end of the file, is what I was
>>>>>>>told).  I asked about the RAR archives, and she said that Sophos
>>>>>>>currently can't scan RAR version 3 archives, but that will be
>>>>>>>available in the next release.  She suggested that I quarantine
>>>>>>>messages and release the files that get labeled corrupted, or in the
>>>>>>>case of the RAR files, maybe put the file extension on a whitelist,
>>>>>>>basically.
>>>>>>
>>>>>>When it finds a file is corrupt, MailScanner removes it, right?
>>>>>
>>>>>Actually no... It looks like the attachments come through okay, though,
>>>>>the files are indeed corrupted.  I am still trying to get the original
>>>>>files from the authors to see if they started that way or not... So, I
>>>>>can't know for sure what happens, but the attachment doesn't appear to
>>>>>be removed, just a warning message inserted into the body of the message
>>>>>indicating that the file is corrupted.
>>>>>
>>>>>>Is it happening often enough that you could archive all mail for a
>>>>>>little while until it happens? If so, we can actually get a test case
>>>>>>together to prove exactly what is happening to the message. Until I can
>>>>>>get my hands on a test case, it is very difficult to work out what is
>>>>>>happening.
>>>>>
>>>>>I don't think so... We get several hundred emails going through our
>>>>>system a minute... We have enough problems trying to stay afloat with
>>>>>CPU load and (especially) disk I/O.  When we turned on quarantining for
>>>>>about a 10 hour time period, we had about 1.5GB of disk space
>>>>>consumed... so, it makes me a bit afraid to do anything on our
>>>>>production server like that :-)
>>>>>
>>>>>>Are they suggesting that the file put into the quarantine is actually
>>>>>>okay, but the file being scanned is not? That would be a neat trick...
>>>>>
>>>>>That is a good point... My concern was with regard to a message coming
>>>>>in that was fine and somehow MailScanner or Sophos was corrupting the
>>>>>message and that was what got put into the attachment... but that seems
>>>>>a bit less likely at this point, and I feel like the file is starting
>>>>>out corrupt.  If I had to guess right now, Sophos is expecting
>>>>>documents to be exactly compliant with those document standard formats
>>>>>(i.e. DOC files must follow Microsoft Word Document format, PDF files
>>>>>follow Adobe PDF file formats etc).  There doesn't appear to be much
>>>>>room in the way of flexibility.  I have seen other programs, like Star
>>>>>Office, write their documents that are mostly compliant, but not quite,
>>>>>and maybe those would be flagged by Sophos as being corrupted.
>>>>>Anyways, those are guesses.
>>>>>
>>>>>>>What would be really helpful, at this point, is a way for me to set an
>>>>>>>option to allow corrupted files to pass through MailScanner without
>>>>>>>being flagged as viruses and without being touched.  The same goes for
>>>>>>>scanning of external MIME attachments (which is another thread).
>>>>>>>There should be an option to not flag those as viruses and to allow
>>>>>>>the messages to pass through untouched.  Both of these issues are
>>>>>>>generating support calls for us right now.
>>>>>>
>>>>>>The "external bodies" switch will be in the next version. I'll have to
>>>>>>take a look at how easy it would be to add a switch for the other bit.
>>>>>
>>>>>Great!  I will let the users know about this (the external bodies
>>>>>thing).
>>>>>
>>>>>>How come this is only happening with Sophos? No-one else is reporting
>>>>>>any problems, only the people using Sophos.
>>>>>
>>>>>That is a good point... If I knew our system could support another virus
>>>>>scanner, such as ClamAV or something like that, I would put it on.... as
>>>>>is, we are now running without spam checking just so we can get some
>>>>>benefit of MailScanner doing virus checking on messages... when we start
>>>>>to fall behind in the mail queues, even that gets turned off.
>>>>>
>>>>>On average, we get several hundred messages a minute.  When we get
>>>>>spammed (usually by our own university departments), we get way more
>>>>>than that :)
>>>>>
>>>>>Scott
>>>>>--
>>>>>+-----------------------------------------------------------------------+
>>>>>      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>>>>>   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>>>>>        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>>>>>+-----------------------------------------------------------------------+
>>>>>     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
>>>>
>>>>--
>>>>Julian Field
>>>>www.MailScanner.info
>>>>MailScanner thanks transtec Computers for their support
>>>
>>>
>>>--
>>>  +-----------------------------------------------------------------------+
>>>       Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>>>    UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>>>         ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>>>  +-----------------------------------------------------------------------+
>>>      PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
>>
>>
>>--
>>+-----------------------------------------------------------------------+
>>      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>>   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
>>        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
>>+-----------------------------------------------------------------------+
>>     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
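The thread stalls on two questions: did the attachment leave the sender already broken, and does the file Sophos rejects really lack "the start of the file and the end of the file" as Sophos support described? The script below is an added example for triaging that, not code from MailScanner, Sophos or anyone on the list. It compares a sender's original copy against the delivered copy byte for byte, and applies a deliberately simplified PDF structure check (header at offset 0 and `%%EOF` within the last 1 KB; the real PDF specification is more permissive about where the header may sit, so treat the check as an approximation of what the support engineer described). The function names, the classification labels and the embedded sample PDF are all constructed for this example.

```python
import hashlib
import sys

# Constructed minimal PDF used as sample input; not a file from the thread.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n"
    b"%%EOF\n"
)
# Constructed damaged copy: the final "%%EOF\n" (6 bytes) has been cut off.
TRUNCATED_PDF = SAMPLE_PDF[:-6]


def sha256_hex(data: bytes) -> str:
    """Digest used to decide whether two copies are byte-identical."""
    return hashlib.sha256(data).hexdigest()


def pdf_markers_present(data: bytes) -> dict:
    """Simplified check for the two structural markers a scanner looks for:
    the '%PDF-' header at the very start and '%%EOF' near the very end.
    (Assumption: this approximates the start/end check Sophos support described.)"""
    tail = data[-1024:]
    return {
        "header_ok": data.startswith(b"%PDF-"),
        "trailer_ok": b"%%EOF" in tail,
    }


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the copies are identical."""
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    if len(a) != len(b):
        return min(len(a), len(b))  # one copy is a prefix of the other
    return None


def compare_copies(original: bytes, delivered: bytes) -> dict:
    """Summarise how the delivered copy differs from the sender's original."""
    return {
        "identical": sha256_hex(original) == sha256_hex(delivered),
        "size_delta": len(delivered) - len(original),
        "first_diff_offset": first_difference(original, delivered),
    }


def triage(original: bytes, delivered: bytes) -> str:
    """Classify where the damage entered. Labels are constructed for this example:
    'intact'             - both copies identical and structurally sound
    'corrupt-at-source'  - identical copies, but the sender's file already fails
    'damaged-in-transit' - sender's file is sound, delivered copy is not
    'modified'           - copies differ but both still pass the marker check"""
    original_ok = all(pdf_markers_present(original).values())
    delivered_ok = all(pdf_markers_present(delivered).values())
    result = compare_copies(original, delivered)
    if result["identical"]:
        return "intact" if original_ok else "corrupt-at-source"
    if original_ok and not delivered_ok:
        return "damaged-in-transit"
    return "modified"


if __name__ == "__main__":
    # Usage: python triage_attachment.py <sender_original.pdf> <delivered.pdf>
    # With no arguments, run against the constructed sample instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            original = f.read()
        with open(sys.argv[2], "rb") as f:
            delivered = f.read()
    else:
        original, delivered = SAMPLE_PDF, TRUNCATED_PDF
    print("original markers :", pdf_markers_present(original))
    print("delivered markers:", pdf_markers_present(delivered))
    print("comparison       :", compare_copies(original, delivered))
    print("verdict          :", triage(original, delivered))
```

Run it with the sender's untouched file and the copy that arrived through MailScanner; a `corrupt-at-source` verdict means the scanner is only reporting what it was given, while `damaged-in-transit` with a `first_diff_offset` is the test case Julian asks for above, since it pins down exactly which bytes changed between the two copies.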
